Stealing Login Credentials from A Locked PC or Mac with A $50 Device

Rob Fuller, aka Mubix, a principal security engineer at R5 Industries, did an experiment and successfully snatched the login credentials of a locked computer that runs Windows and Mac OS. All it takes is a $50 USB device and about 13 seconds of time physically accessing a computer.

The hack works by plugging a flash-sized minicomputer into an unattended computer that’s logged in but currently locked. In about 13 seconds, the USB device will obtain the username and password hash used to log into the computer.

It works deadly simple and reliably on both Windows and Mac devices. Even Mubix himself didn’t believe it could be done like this.

First off, this is dead simple and shouldn’t work, but it does. Also, there is no possible way that I’m the first one that has identified this, but here it is (trust me, I tested it so many ways to confirm it because I couldn’t believe it was true)

The theory behind this is pretty simple. Plug in a USB device that acts like a network adapter and has a computer on the other end, the traffic sent from the locked computer can be easily captured, including the credentials.

Because USB is plug-n-play, the device gets installed automatically even if a system is locked out. Even though there are some restrictions as to what kind of devices are allowed to install at a locked state on newer operating systems like Windows 10, installing an Ethernet/LAN adapter seems to be on the whitelist. UAC isn’t helping in this case either since it doesn’t prompt for any PnP devices.

The devices required in this hack are Hak5 Turtle ($50)and USB Armory ($155), both of which are USB-mounted computers that run Linux. You will spend some time to configure the device using a hacking app known as Responder to act as a gateway, DNS server, WPAD server and others when plugged into a computer.

The obtained password hash will still need to be cracked before being put in use to gain full access to the computer or network. If the machine is running an old version of Windows that uses NTLMv1 hash, the game is well over because the hash can be converted to NTLM format no matter how complex the password is. And from there, it can be used in pass-the-hash-style attacks. An NTLMv2 hash used by the newer version of Windows would require more work to crack.

Mubix reports that some people have gotten a similar setup to work on a RaspberriPi Zero, making the cost of this hack $5 and about 10 minutes of configuration setup.

It’s a pretty scary discovery. According to Arstechnica, Mubix is working on a follow-up post suggesting ways to prevent the attack. In the meantime, he’s referring people to this mitigation technique, which he says works “pretty well.”

Also, disabling USB ports and turning off automatic device installation via Group Policy in a corporate network should be also helpful mitigating this vulnerability.